Security Advisory

CVE-2026-27811

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-03-17 23:43:05
Last updated 2026-03-18 19:53:19
Assigner GitHub_M
State PUBLISHED

Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.3, a command injection vulnerability exists in the `/config/compare/<service>/<server_ip>/show` endpoint, allowed authenticated users to execute arbitrary system commands on the app host. The vulnerability exists in `app/modules/config/config.py` on line 362, where user input is directly formatted in the template string that is eventually executed. Version 8.2.6.3 fixes the issue.